hydracrypt | 1c2cd97c6e7826df5b0281dcf54a65068a9a1caf4224ebba739a86a54dc51665

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Size

164KB
MD5

08b304d01220f9de63244b4666621bba
SHA1

b7f9dd8ee3434b35fbb3395f69ff43fd5112a0c6
SHA256

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
SHA512

162cc0fb48615c67ce6e104ca462c41aba79bad0d5409e837b300cffc34a1c9bed63f603eee7091b93edfcd772d8ab1e180fcb3aae6b07fe24413b8505815ae9
SSDEEP

3072:fHynAdzu0t5GtE13lkAB9z3KJZ3fCI1AjZ7yXgpiqQp:fHKautY3TzaJZarjZeXgpn

Score

10^/10

hydracrypt persistence ransomware spyware stealer

Malware Config

Signatures

HydraCrypt
Relatively unsophisticated ransomware family based on leaked CrypBoss source code.
ransomware hydracrypt
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (881) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Drops startup file 3 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypttmp_ID_c8524973	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.hydracrypt_ID_c8524973	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Internet Explorer Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe\""	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeSettingsStart3264 = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeSetings3264\\xamigufu.exe\""	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2288054676-1871194608-3559553667-1000\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2288054676-1871194608-3559553667-1000\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	ioc	process
File opened (read-only)	\??\Y:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\W:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\V:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\S:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\L:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\G:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\X:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\O:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\M:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\I:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\H:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\A:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\E:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\B:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\Z:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\T:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\R:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\Q:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\K:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\J:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\U:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\P:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
File opened (read-only)	\??\N:	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

description	pid	process	target process
PID 2976 set thread context of 1932	2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4772 1932 WerFault.exe afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Runs net.exe

pid	pid_target	process	target process
4772	1932	WerFault.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

pid	process
2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	824	WMIC.exe
Token: SeSecurityPrivilege	824	WMIC.exe
Token: SeTakeOwnershipPrivilege	824	WMIC.exe
Token: SeLoadDriverPrivilege	824	WMIC.exe
Token: SeSystemProfilePrivilege	824	WMIC.exe
Token: SeSystemtimePrivilege	824	WMIC.exe
Token: SeProfSingleProcessPrivilege	824	WMIC.exe
Token: SeIncBasePriorityPrivilege	824	WMIC.exe
Token: SeCreatePagefilePrivilege	824	WMIC.exe
Token: SeBackupPrivilege	824	WMIC.exe
Token: SeRestorePrivilege	824	WMIC.exe
Token: SeShutdownPrivilege	824	WMIC.exe
Token: SeDebugPrivilege	824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	824	WMIC.exe
Token: SeRemoteShutdownPrivilege	824	WMIC.exe
Token: SeUndockPrivilege	824	WMIC.exe
Token: SeManageVolumePrivilege	824	WMIC.exe
Token: 33	824	WMIC.exe
Token: 34	824	WMIC.exe
Token: 35	824	WMIC.exe
Token: 36	824	WMIC.exe
Token: SeIncreaseQuotaPrivilege	824	WMIC.exe
Token: SeSecurityPrivilege	824	WMIC.exe
Token: SeTakeOwnershipPrivilege	824	WMIC.exe
Token: SeLoadDriverPrivilege	824	WMIC.exe
Token: SeSystemProfilePrivilege	824	WMIC.exe
Token: SeSystemtimePrivilege	824	WMIC.exe
Token: SeProfSingleProcessPrivilege	824	WMIC.exe
Token: SeIncBasePriorityPrivilege	824	WMIC.exe
Token: SeCreatePagefilePrivilege	824	WMIC.exe
Token: SeBackupPrivilege	824	WMIC.exe
Token: SeRestorePrivilege	824	WMIC.exe
Token: SeShutdownPrivilege	824	WMIC.exe
Token: SeDebugPrivilege	824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	824	WMIC.exe
Token: SeRemoteShutdownPrivilege	824	WMIC.exe
Token: SeUndockPrivilege	824	WMIC.exe
Token: SeManageVolumePrivilege	824	WMIC.exe
Token: 33	824	WMIC.exe
Token: 34	824	WMIC.exe
Token: 35	824	WMIC.exe
Token: 36	824	WMIC.exe
Token: SeBackupPrivilege	5116	vssvc.exe
Token: SeRestorePrivilege	5116	vssvc.exe
Token: SeAuditPrivilege	5116	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

pid	process
2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exeafd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.execmd.exenet.execmd.exe

description	pid	process	target process
PID 2976 wrote to memory of 1932	2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2976 wrote to memory of 1932	2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2976 wrote to memory of 1932	2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2976 wrote to memory of 1932	2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2976 wrote to memory of 1932	2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2976 wrote to memory of 1932	2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2976 wrote to memory of 1932	2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2976 wrote to memory of 1932	2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2976 wrote to memory of 1932	2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2976 wrote to memory of 1932	2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2976 wrote to memory of 1932	2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2976 wrote to memory of 1932	2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 2976 wrote to memory of 1932	2976	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
PID 1932 wrote to memory of 4700	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 4700	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 4700	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 5016	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 5016	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 5016	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 2228	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 2228	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 2228	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 3056	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 3056	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 3056	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 4700 wrote to memory of 1788	4700	cmd.exe	net.exe
PID 4700 wrote to memory of 1788	4700	cmd.exe	net.exe
PID 4700 wrote to memory of 1788	4700	cmd.exe	net.exe
PID 1932 wrote to memory of 1588	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 1588	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 1588	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1788 wrote to memory of 400	1788	net.exe	net1.exe
PID 1788 wrote to memory of 400	1788	net.exe	net1.exe
PID 1788 wrote to memory of 400	1788	net.exe	net1.exe
PID 1932 wrote to memory of 3020	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 3020	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 3020	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 800	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 800	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 800	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 2220	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 2220	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 2220	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 2228 wrote to memory of 824	2228	cmd.exe	WMIC.exe
PID 2228 wrote to memory of 824	2228	cmd.exe	WMIC.exe
PID 2228 wrote to memory of 824	2228	cmd.exe	WMIC.exe
PID 1932 wrote to memory of 5076	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 5076	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 5076	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 3560	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 3560	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 3560	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 4468	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 4468	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 4468	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 3716	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 3716	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 3716	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 5088	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 5088	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 5088	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 1740	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 1740	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe
PID 1932 wrote to memory of 1740	1932	afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
"C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
  C:\Users\Admin\AppData\Local\Temp\afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C net stop vss
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\SysWOW64\net.exe
      net stop vss
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vss
        5⤵
        
        PID:400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /All
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Z: /All
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Y: /All
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=X: /All
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=W: /All
    3⤵
    PID:800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=V: /All
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=U: /All
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=T: /All
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=S: /All
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=R: /All
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=Q: /All
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=P: /All
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=O: /All
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=N: /All
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=M: /All
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=L: /All
    3⤵
    PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=K: /All
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=J: /All
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=I: /All
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=H: /All
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=G: /All
    3⤵
    PID:972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=F: /All
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=E: /All
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=D: /All
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=C: /All
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=B: /All
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /For=A: /All
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 964
    3⤵
    - Program crash
    PID:4772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1932 -ip 1932
1⤵
PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.hydracrypttmp_ID_c8524973

Filesize
126KB

MD5
4002839b3ffe71c549fe0db8e1b59234

SHA1
426c752c51c11ec4834914fa06c90f85a6707f0e

SHA256
b16af8030b8afcdd3e940d3600b63230f189512d21e18640bc4c6f8439874a11

SHA512
d39dfb0f060d661399297e9ec15da83504b307b97eb05b7e91779a32eb6b0cbf2d1e3f9336a56ec80fcc96f2b7b70bdc8ab34646189f3d7d7c283a10ffebbc99

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.hydracrypttmp_ID_c8524973

Filesize
28KB

MD5
4c646744573072747249d0aa3b94d0a1

SHA1
821d1879778a27b1caeffe5ec6c3148ee42b8faf

SHA256
87dbfea16050518a4debbcdc5ece5fc0195e90895e319bf50715eb42e01a6639

SHA512
bcbedae1d7fc6a4bc2e946d89ffdc562fa665bc5b4f7c4b6bd59c713e5ff1d3e8f36896dcef6a68590d56f1da8e7a4b489b199f446409f66d1a7b4da87f82836

Download Submit
C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml.hydracrypttmp_ID_c8524973

Filesize
1KB

MD5
7a74c1f103fabdb92e0f77d5d66dd6f9

SHA1
1a763d8921ffc0a7b3272058bc05191fc009ee82

SHA256
90153240c2ec8ad4992bbef401306ad60c9b5f3adec45d245af9d33be79fd058

SHA512
2d5f94e18d77ddaaaafb0dd042f72cba07c3440bb02acc4d9e31e6ba494c2345482732171a364ec3e4c9dda4d0defe7b6f1e18b7827cc9fb7ddfb12a2df65fd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml.hydracrypttmp_ID_c8524973

Filesize
333KB

MD5
f05cbd3efd4b316a0e995bdef80eeda4

SHA1
afedbce4a36b8280990adf081a603d801dd75c97

SHA256
e0d3ddd609096d24619a16e5f5ec61f048f7e895b137cd5a8b15f8ff5c7be701

SHA512
ade9715d8c13a7ec57d9ebef57c75dc41d2519133f8b8106ce94301e62c248f4ebeb2b10c7bcab1139a7b4e09e32b1be3d32be40aaf8b511527447bccc43193a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini.hydracrypttmp_ID_c8524973

Filesize
174B

MD5
5f8c50844437a569e8b8fb17805109bb

SHA1
24bfd97a4a90a71d0faca7227b962e531515c2f2

SHA256
4c5521f642c88188c41bcaaef3b42a6d734575d15fb23c47b7b23fd436ab57c1

SHA512
d046a6d9e33d99b4a3adbfaaeb0bb4514969a4757a6ffd9b0bea44e2b3f6a001dfdc2d0fedc870a29098b54961711d199ffb44c05c3cb501c578c73a81b54f8f

Download Submit
C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat.hydracrypttmp_ID_c8524973

Filesize
8KB

MD5
73c6d697d667a5bf2389bde1bb6d09eb

SHA1
a56027221814ecbbb145a617c100851447ef8467

SHA256
38c3bf84b5d5b04f33c0f5fb84e364ab25a6144c58fe76ebcd5baacdac1693be

SHA512
3c0b40ac3f7c0f68a5112fa79ee5641f26d3ebb038613d999be6eb8ccfcb5503ebc7a34e805fd49a30664e0211631cf860f9b222620a3f2b57ebba1a602ce07d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.hydracrypt_ID_c8524973

Filesize
8KB

MD5
ab6a0998135dc7a797b87a62ab05c6e3

SHA1
a64976dddad4c42c26de94f4867cce0fdc434d3a

SHA256
0d8e270ae605d3902e280d79583831248a6ff0d8c85b63953225293fe1e6f1b6

SHA512
beb806b4627eb445f828d038dc8211649a37d97fdb4dcd099191528fdb0863b8dcbf67f8c3a899465969c0afc30f6f6863cb78f6076455a35f42fe5e96148a17

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7c913f7c-d3d9-49c5-b502-f29fd5c7e740}\0.1.filtertrie.intermediate.txt.hydracrypttmp_ID_c8524973

Filesize
5B

MD5
ebfbaccc35658d101c169d6c9f899632

SHA1
ec849c1592625e3a618d63611cfe3a0f6cc64e54

SHA256
d0e1dac95565db670c4a58e489c5e67591bfe19dbb9d28d9998ac9bb77c0593b

SHA512
500fc189c631abe956cdb16daf399a9482fccfc8bdcdb134b5c9dea5cd535a02d817bb02d7cc23e53f8e4e4bd9b02088323737968e500d25aa7fef778603c253

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7c913f7c-d3d9-49c5-b502-f29fd5c7e740}\0.2.filtertrie.intermediate.txt.hydracrypttmp_ID_c8524973

Filesize
5B

MD5
1005f5ef023aac8928d8a596dd79cb73

SHA1
705a8f2d59d6d788c83cf1f7c63899a3698147bf

SHA256
7e3bef4ebccee17fab77ccf3dae45bfed57d2ad710d2c8b67ab23567dab476d8

SHA512
e51d888738b5a566c928be4985065c8d7ec41d25c4709c7a83f1b99aa1b6fb2e041c4c3f1c8c101a4f5bde9af1cfea12711c3f7228e8b554d1828d2d017cdbde

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{d788b5ac-a173-4aea-af65-cc36d50361fe}\0.1.filtertrie.intermediate.txt.hydracrypt_ID_c8524973

Filesize
269B

MD5
ba9dd79c842f16688eca027f7bbaf027

SHA1
c6d8c5c8e4dd43f44241ff06c209f95308add823

SHA256
e11a3de8ae4963b4f1df7356a46bf6f94df85707b37eb3245d04666dad1360ff

SHA512
26d772e521a344950be6fb4bc43c8cc4ca0d290e75a376f60b6b5cc1dcbd5d0ade4b501416a0a77948dab05219ed60e8c8533bfac1a7356f6ffe0455d52ffed2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{d788b5ac-a173-4aea-af65-cc36d50361fe}\0.2.filtertrie.intermediate.txt.hydracrypt_ID_c8524973

Filesize
269B

MD5
b8af3ed32e7e9032de598750af41796c

SHA1
b0f8d8b40d774e453830691747c4639a523f6c0d

SHA256
bbe4199d3fed65c2a31a53f7981108d43b01942448f3424322c2fa5ad7ea061c

SHA512
8ff6dfef75abefee61f41223b26ec0eea30adae70cf09dfeadd3e5a99a9275a74fa5bc5beb9d5e831e53675625ff8dd1c35abe7da0a54d36cbe6cd3ac233a7fb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573951893978108.txt.hydracrypttmp_ID_c8524973

Filesize
77KB

MD5
a399007035615be310c56601c4b74aa2

SHA1
729bb4da77ebf26625d5b7669ba11ad7a54e4322

SHA256
35f653bb49ea758f5387bc7ffb35ba29eff437a7e9ad6fad609a164d3907bcf3

SHA512
d3553abe65ea177eebd3cd72bcf81c662521cdad220bb26b97dc546cca2e4e2aeda31a83c9ca8e6667c000240fec2510e70501006ee4ef211b781fb4825c291a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573952470598170.txt.hydracrypttmp_ID_c8524973

Filesize
47KB

MD5
c84c032f5019aaeb0a13e848906bd66e

SHA1
444ecc11a507ca11cf1c5780a43f7c0d6b7ae99e

SHA256
b1c87c5e3fa38261b81bfa6b7dcdc17e60e3a8adf282744ff9a42ba5eca5b391

SHA512
996df60fe424d4b5d7ad027bfdd640c889e5b8cf6923565e982024dbb1aba55058bab4ba4972704a9db37140dce01b631f6731a108bddd7791cf2b1ef24a962e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573959125774669.txt.hydracrypttmp_ID_c8524973

Filesize
63KB

MD5
0d83f320511d8d3ae75b0b81ef8496a8

SHA1
f4f397f0c5cd377dd214626199e23cf8286c9c2c

SHA256
e75a2e98b6ad26ab168ae4298ad5f72ced1d8493dc891218645ec87c2d94985d

SHA512
fe3f6bc7877b994e57ff0c37b3e8887ea51221dcefcac6806f6914c1a3d3f229b338bf7dbbea3061893a1afaf635d151b2d61307c31b528c517889121d947feb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573962273348529.txt.hydracrypttmp_ID_c8524973

Filesize
75KB

MD5
67a894d870184e2975e87e753c54941c

SHA1
4808256b135827e3fd54fb954ea2cc2303c4f17f

SHA256
9974cc50cf20309e8d1e5034e19d9d321df9a989278046887b338a681610abfe

SHA512
5567db8eaf9b754383f5b4d893a237b425fa0b039d6c2a7c5047c93a6a6cd83f39b7a02cdc98944d3056d79733f9300000dfb3880f686379fc1221b7d6ca35f5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133573995096058966.txt.hydracrypt_ID_c8524973

Filesize
75KB

MD5
8a432d04b3820c2cb0048ed4fe3e6ef2

SHA1
f54d1d1b482393127752ea4dd8f2cdf1ab7ca02a

SHA256
5ba857d2869821aa4a3cefcd792380437b94999aff6164f616561e71f9105313

SHA512
a284255e3e5268f79421db0e248dd3eab6c116c0d312237d1bba198a1b1aeb3f834cb4483fca1ee41dbc99cc6e013636901eb53861c058d53b8ade4ecc9d8541

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240412_113835246.html.hydracrypttmp_ID_c8524973

Filesize
94KB

MD5
a423a390f879a396ce700a9217228ff5

SHA1
24b1c3e5a35c5dcba9f947d210ac291477d787fd

SHA256
723de9b7deed458a4009b012634e27883f0ea29e3fb351b7d453914dd7d3a663

SHA512
55012716cbb2be76a729479e9b49966ee31031ac6833ea0d096fd6a802aa0770aaf6a4411fb68729e8525074af006cb56d2df5b1c39544dfadf0da959046113c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct5F27.tmp.hydracrypttmp_ID_c8524973

Filesize
63KB

MD5
babf86ec8a67c63bd0a9281cd1a76397

SHA1
e76b9796e8f313cafe14e2a6728373230e80ed11

SHA256
c7e28e9700c955e14664b7d7ffb7d2353724de4133678a3d0b8bf90bd26d92f0

SHA512
5410035a3d03507baa6b60574dc4147924a997b51ad76ec7d561e024b3bf26a96d9ad467f91a7d9ea67d017fda2c38f5e6870634308537973bc3f861f5e39825

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctDB4C.tmp.hydracrypt_ID_c8524973

Filesize
63KB

MD5
eef35d11cd8db6cb657ff803eedb9a70

SHA1
6d7257ab37a424bb43be10ccd14c4332819b6a88

SHA256
52c7a6f3f0b550c3378b1ab00900bb59d1aff4fbe824151732b9d571e7d4b58f

SHA512
7305922e11c090ac4dfb9b6e2036e2114d1591a24d3e6a7b1c4d57db87c252c306c9d44d6af9e7c72578610869d5efc1c5a2fdadfb87a39817d829c7ae9ef211

Download Submit
C:\Users\Admin\AppData\Roaming\1$FUWW$FFHEX.dat

Filesize
1KB

MD5
28ee0b2201a56ae7af09261af9b4015d

SHA1
c5a2f438cbd15218a6cdada950398fcc4cbb4b38

SHA256
aa057b2017c778a64862d1a1f3dd5df5e7410110944d9ea56fb0e369c7c754c9

SHA512
a52246fd719f180124cf27fe568a32ab2ba202f02ea35e3e512b32ea9b056b344d6ef60799df932dd57d557cf21fc824d425a5f339a450d7b37c54a88a9f454c

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini.hydracrypttmp_ID_c8524973

Filesize
170B

MD5
4ffb5a304008f37a2918a73a5c6cdc83

SHA1
9d063eea94c026637c174a00dd1a36f087c76be5

SHA256
a71085eac21e443ddda11f373e0462bcbe3171eee09b6679160006cd0b708bb2

SHA512
7832286ed145b92eb3519955f817f00f8988cf7b7007dcd73a2e0beb41cc91bc558aafecf9c7081e9c9342879b0cc89b1530d8d3f69c513f1ed7293001c3f8aa

Download Submit
C:\Users\Public\Pictures\README_DECRYPT_HYDRA_ID_c8524973.txt

Filesize
915B

MD5
241e43485d709cc6db7e155e8a0be9fb

SHA1
d9babb84928a14be9459d388ebc3b06822fdc496

SHA256
7269843886d1c4ff40011aba0464daccb896d1464dc3de0931c774df3976e65e

SHA512
44512589a73be0023f62ebc3fb6b25c0909424ec70d8bf49ef93d4f03b75eecbe3130925d7b6f986c18f6579958c6e32489c337d8603f370d6a1cbb877845887

Download Submit
memory/1932-4-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1932-3751-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1932-3390-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1932-3-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1932-1-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1932-880-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1932-5148-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1932-5149-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/2976-0-0x0000000000AA0000-0x0000000000AA5000-memory.dmp

Filesize
20KB

Download